diff --git a/doc/sgml/oper-guide/config.sgml b/doc/sgml/oper-guide/config.sgml
index fc44fb73..4c6207ff 100644
--- a/doc/sgml/oper-guide/config.sgml
+++ b/doc/sgml/oper-guide/config.sgml
@@ -410,6 +410,12 @@ auth {
Users in this auth{} block must have identd, otherwise they will be rejected.
+
+ need_ssl
+
+ Users in this auth{} block must be connected via SSL/TLS, otherwise they will be rejected.
+
+
need_sasl
@@ -442,6 +448,33 @@ exempt {
+
+ privset {} block
+
+privset {
+ extends = "name";
+ privs = list;
+};
+
+ A privset (privilege set) block specifies a set of
+ operator privileges.
+
+
+ privset {} variables
+
+ extends
+
+ An optional privset to inherit. The new privset will have all privileges that the given privset has.
+
+
+
+ privs
+
+ Privileges to grant to this privset. These are described in the operator privileges section.
+
+
+
+
operator {} block
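Review bot: the synopsis opens with `privset {` and gives the block no name, yet `extends = "name";` and the privset setting in operator{} both have to refer to a privset by name. Show the name in the synopsis the way the operator block does (`operator "name" {`), and say in the extends entry whether the inherited privset has to be defined earlier in the file, as the operator{} text requires for its privset. An example value for `privs = list;` would also help, since the list syntax is not shown here.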
@@ -510,19 +543,35 @@ operator "name" {
- flags
+ privset
- A listing of privileges granted to operators using this block.
- By default, the mass_notice, operwall, remoteban and resv privileges are granted;
- use ~mass_notice, ~operwall, ~remoteban and ~resv to disable them if necessary.
-
-
- In addition, a flag designating if the password is encrypted is here.
- Privileges are documented elsewhere in this guide.
+ The privilege set granted to successfully opered clients.
+ This must be defined before this operator{} block.
+
+ flags
+
+ A list of flags to apply to this operator{} block. They are listed below.
+
+
+
+
+ operator {} flags
+
+ encrypted
+
+ The password used has been encrypted. This is enabled by default, use ~encrypted to disable it.
+
+
+
+ need_ssl
+
+ Restricts use of this operator{} block to SSL/TLS connections only.
+
+
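Review bot: the removed flags text said mass_notice, operwall, remoteban and resv were granted by default, and the new privset entry does not say whether any privilege is still implied. State explicitly that an operator holds only what its privset (and anything it extends) lists, or name the defaults if some remain, so that a converted configuration does not grant more or less than its administrator expects. "This must be defined before this operator{} block." should name its subject (the privset{} block), and the need_ssl flag entry should state its default the way the encrypted entry does.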
diff --git a/doc/sgml/oper-guide/oprivs.sgml b/doc/sgml/oper-guide/oprivs.sgml
index fb5213e4..1e776b1b 100644
--- a/doc/sgml/oper-guide/oprivs.sgml
+++ b/doc/sgml/oper-guide/oprivs.sgml
@@ -3,12 +3,10 @@
Meanings of oper privileges
- These are flags in operator{}.
- The letter appears after opering up and in /stats o; an uppercase
- letter means the privilege is possessed, lowercase means it is not.
+ These are specified in privset{}.
- admin (A), server administrator
+ oper:admin, server administrator
Various privileges intended for server administrators.
Among other things, this automatically sets umode +a and allows
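Review bot: the intro loses the sentences explaining how privileges show up after opering up and in /stats o, and "These are specified in privset{}." does not replace them. If the letter display is gone, say how an administrator can now check which privileges an oper session holds; if it remains, keep the explanation. The new sentence could also name the privs variable, since that is where these names are written.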
@@ -16,7 +14,7 @@
- remoteban (B), set remote bans
+ oper:remoteban, set remote bans
This grants the ability to use the ON argument on
DLINE/KLINE/XLINE/RESV and UNDLINE/UNKLINE/UNXLINE/UNRESV to set
@@ -26,46 +24,46 @@
If a cluster{} block is present, bans are sent remotely even
- if the oper does not have remoteban privilege.
+ if the oper does not have oper:remoteban privilege.
- local_kill (C), kill local users
+ oper:local_kill, kill local users
This grants permission to use KILL on users on the same server,
disconnecting them from the network.
- die (D), die and restart
+ oper:die, die and restart
This grants permission to use DIE and RESTART, shutting down
or restarting the server.
- rehash (H), rehash
+ oper:rehash, rehash
Allows using the REHASH command, to rehash various configuration
files or clear certain lists.
- kline (K), kline and dline
+ oper:kline, kline and dline
Allows using KLINE and DLINE, to ban users by user@host mask
or IP address.
- operwall (L), send/receive operwall
+ oper:operwall, send/receive operwall
Allows using the OPERWALL command and umode +z to send and
receive operwalls.
- mass_notice (M), global notices and wallops
+ oper:mass_notice, global notices and wallops
Allows using server name ($$mask) and hostname ($#mask) masks in
NOTICE and PRIVMSG to send a message to all matching users, and
@@ -74,20 +72,20 @@
- nick_changes (N), see nick changes
+ snomask:nick_changes, see nick changes
Allows using snomask +n to see local client nick changes.
This is designed for monitor bots.
- global_kill (O), global kill
+ oper:global_kill, global kill
Allows using KILL on users on any server.
- hidden_oper (P), hide from /stats p
+ oper:hidden, hide from /stats p
This privilege currently does nothing, but was designed
to hide bots from /stats p so users will not message them
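Review bot: nick_changes and hidden_oper are not plain prefix additions: the first moves to snomask:nick_changes and the second is shortened to oper:hidden. Call out renames of this kind explicitly, for example in an old-name to new-name list, because someone converting operator{} flags by prepending oper: to each old name would write names this page does not define.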
@@ -95,14 +93,14 @@
- resv (Q), channel control
+ oper:resv, channel control
This allows using /resv, /unresv and changing the channel
modes +L and +P.
- remote (R), remote routing
+ oper:remote, remote routing
This allows using the third argument of the CONNECT command, to
instruct another server to connect somewhere, and using SQUIT
@@ -111,7 +109,7 @@
- oper_spy (S), use operspy
+ oper:spy, use operspy
This allows using /mode !#channel, /whois !nick, /who !#channel,
/chantrace !#channel, /who !mask, /masktrace !user@host :gecos
@@ -133,27 +131,24 @@
- unkline (U), unkline and undline
+ oper:unkline, unkline and undline
Allows using UNKLINE and UNDLINE.
- xline (X), xline and unxline
+ oper:xline, xline and unxline
Allows using XLINE and UNXLINE, to ban/unban users by realname.
- hidden_admin, hidden administrator
+ oper:hidden_admin, hidden administrator
This grants everything granted to the admin privilege,
- except the ability to set umode +a. If both admin and hidden_admin
+ except the ability to set umode +a. If both oper:admin and oper:hidden_admin
are possessed, umode +a can still not be used.
-
- This privilege does not appear in /stats o or oper up notices.
-
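Review bot: the unchanged line "This grants everything granted to the admin privilege," still uses the old name while the following sentence now says oper:admin and oper:hidden_admin; update it to match. The removed paragraph said this privilege does not appear in /stats o or oper up notices; since concealment is the purpose of hidden_admin, the text should state whether it is still hidden now that privileges come from privset{}.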